Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

[Web] Update libs, fix U2F for Firefox Quantum

Browse Source
This commit is contained in:
André 2017-11-21 09:33:22 +01:00
parent 1bd0d9270f
commit e1eb83ef87
18 changed files with 1113 additions and 1508 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
data/web/inc/footer.inc.php
View File

@ -40,6 +40,7 @@ $(document).ready(function() {
backdrop: 'static', backdrop: 'static',
keyboard: false keyboard: false
}); });
$('#u2f_status_auth').html('<p><span class="glyphicon glyphicon-refresh glyphicon-spin"></span> Initializing, please wait...</p>');
$('#ConfirmTFAModal').on('shown.bs.modal', function(){ $('#ConfirmTFAModal').on('shown.bs.modal', function(){
$(this).find('#token').focus(); $(this).find('#token').focus();
// If U2F // If U2F
@ -49,13 +50,12 @@ $(document).ready(function() {
cache: false, cache: false,
dataType: 'script', dataType: 'script',
url: "/api/v1/get/u2f-authentication/<?= (isset($_SESSION['pending_mailcow_cc_username'])) ? $_SESSION['pending_mailcow_cc_username'] : null; ?>", url: "/api/v1/get/u2f-authentication/<?= (isset($_SESSION['pending_mailcow_cc_username'])) ? $_SESSION['pending_mailcow_cc_username'] : null; ?>",
success: function(data){ complete: function(data){
$('#u2f_status_auth').html('<?=$lang['tfa']['waiting_usb_auth'];?>');
data; data;
}
});
setTimeout(function() { setTimeout(function() {
console.log("sign: ", req); console.log("Ready to authenticate");
u2f.sign(req, function(data) { u2f.sign(appId, challenge, registeredKeys, function(data) {
var form = document.getElementById('u2f_auth_form'); var form = document.getElementById('u2f_auth_form');
var auth = document.getElementById('u2f_auth_data'); var auth = document.getElementById('u2f_auth_data');
console.log("Authenticate callback", data); console.log("Authenticate callback", data);
@ -65,6 +65,8 @@ $(document).ready(function() {
}, 1000); }, 1000);
} }
}); });
}
});
<?php endif; ?> <?php endif; ?>
// Set TFA modals // Set TFA modals
@ -81,33 +83,35 @@ $(document).ready(function() {
if ($(this).val() == "u2f") { if ($(this).val() == "u2f") {
$('#U2FModal').modal('show'); $('#U2FModal').modal('show');
$("option:selected").prop("selected", false); $("option:selected").prop("selected", false);
$('#u2f_status_reg').html('<p><span class="glyphicon glyphicon-refresh glyphicon-spin"></span> Initializing, please wait...</p>');
$.ajax({ $.ajax({
type: "GET", type: "GET",
cache: false, cache: false,
dataType: 'script', dataType: 'script',
url: "/api/v1/get/u2f-registration/<?= (isset($_SESSION['mailcow_cc_username'])) ? $_SESSION['mailcow_cc_username'] : null; ?>", url: "/api/v1/get/u2f-registration/<?= (isset($_SESSION['mailcow_cc_username'])) ? $_SESSION['mailcow_cc_username'] : null; ?>",
success: function(data){ complete: function(data){
data; data;
}
});
setTimeout(function() { setTimeout(function() {
console.log("Register: ", req); console.log("Ready to register");
u2f.register([req], sigs, function(data) { $('#u2f_status_reg').html('<?=$lang['tfa']['waiting_usb_register'];?>');
u2f.register(appId, registerRequests, registeredKeys, function(deviceResponse) {
var form = document.getElementById('u2f_reg_form'); var form = document.getElementById('u2f_reg_form');
var reg = document.getElementById('u2f_register_data'); var reg = document.getElementById('u2f_register_data');
console.log("Register callback", data); console.log("Register callback: ", data);
if (data.errorCode && data.errorCode != 0) { if (deviceResponse.errorCode && deviceResponse.errorCode != 0) {
var u2f_return_code = document.getElementById('u2f_return_code'); var u2f_return_code = document.getElementById('u2f_return_code');
u2f_return_code.style.display = u2f_return_code.style.display === 'none' ? '' : null; u2f_return_code.style.display = u2f_return_code.style.display === 'none' ? '' : null;
if (data.errorCode == "4") { data.errorCode = "4 - The presented device is not eligible for this request. For a registration request this may mean that the token is already registered, and for a sign request it may mean that the token does not know the presented key handle"; } if (deviceResponse.errorCode == "4") { deviceResponse.errorCode = "4 - The presented device is not eligible for this request. For a registration request this may mean that the token is already registered, and for a sign request it may mean that the token does not know the presented key handle"; }
u2f_return_code.innerHTML = 'Error code: ' + data.errorCode; u2f_return_code.innerHTML = 'Error code: ' + deviceResponse.errorCode;
return; return;
} }
reg.value = JSON.stringify(data); reg.value = JSON.stringify(deviceResponse);
form.submit(); form.submit();
}); });
}, 1000); }, 1000);
} }
});
}
if ($(this).val() == "none") { if ($(this).val() == "none") {
$('#DisableTFAModal').modal('show'); $('#DisableTFAModal').modal('show');
$("option:selected").prop("selected", false); $("option:selected").prop("selected", false);

20
data/web/inc/lib/composer.lock generated
View File

@ -8,16 +8,16 @@
"packages": [ "packages": [
{ {
"name": "phpmailer/phpmailer", "name": "phpmailer/phpmailer",
"version": "v5.2.25", "version": "v5.2.26",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git", "url": "https://github.com/PHPMailer/PHPMailer.git",
"reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915" "reference": "70362997bda4376378be7d92d81e2200550923f7"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/2baf20b01690fba8cf720c1ebcf9b988eda50915", "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/70362997bda4376378be7d92d81e2200550923f7",
"reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915", "reference": "70362997bda4376378be7d92d81e2200550923f7",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -81,20 +81,20 @@
} }
], ],
"description": "PHPMailer is a full-featured email creation and transfer class for PHP", "description": "PHPMailer is a full-featured email creation and transfer class for PHP",
"time": "2017-08-28T11:12:07+00:00" "time": "2017-11-04T09:26:05+00:00"
}, },
{ {
"name": "robthree/twofactorauth", "name": "robthree/twofactorauth",
"version": "1.6", "version": "1.6.1",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/RobThree/TwoFactorAuth.git", "url": "https://github.com/RobThree/TwoFactorAuth.git",
"reference": "5093ab230cd8f1296d792afb6a49545f37e7fd5a" "reference": "a77e7d822343bb88112baef808839cfae7bc5abb"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/5093ab230cd8f1296d792afb6a49545f37e7fd5a", "url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/a77e7d822343bb88112baef808839cfae7bc5abb",
"reference": "5093ab230cd8f1296d792afb6a49545f37e7fd5a", "reference": "a77e7d822343bb88112baef808839cfae7bc5abb",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -132,7 +132,7 @@
"php", "php",
"tfa" "tfa"
], ],
"time": "2017-02-17T15:24:54+00:00" "time": "2017-11-06T17:55:56+00:00"
}, },
{ {
"name": "yubico/u2flib-server", "name": "yubico/u2flib-server",

122
data/web/inc/lib/vendor/composer/installed.json vendored
View File

@ -1,57 +1,4 @@
[ [
{
"name": "robthree/twofactorauth",
"version": "1.6",
"version_normalized": "1.6.0.0",
"source": {
"type": "git",
"url": "https://github.com/RobThree/TwoFactorAuth.git",
"reference": "5093ab230cd8f1296d792afb6a49545f37e7fd5a"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/5093ab230cd8f1296d792afb6a49545f37e7fd5a",
"reference": "5093ab230cd8f1296d792afb6a49545f37e7fd5a",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"require-dev": {
"phpunit/phpunit": "@stable"
},
"time": "2017-02-17T15:24:54+00:00",
"type": "library",
"installation-source": "dist",
"autoload": {
"psr-4": {
"RobThree\\Auth\\": "lib"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Rob Janssen",
"homepage": "http://robiii.me",
"role": "Developer"
}
],
"description": "Two Factor Authentication",
"homepage": "https://github.com/RobThree/TwoFactorAuth",
"keywords": [
"Authentication",
"MFA",
"Multi Factor Authentication",
"Two Factor Authentication",
"authenticator",
"authy",
"php",
"tfa"
]
},
{ {
"name": "yubico/u2flib-server", "name": "yubico/u2flib-server",
"version": "1.0.1", "version": "1.0.1",
@ -90,18 +37,71 @@
"homepage": "https://developers.yubico.com/php-u2flib-server" "homepage": "https://developers.yubico.com/php-u2flib-server"
}, },
{ {
"name": "phpmailer/phpmailer", "name": "robthree/twofactorauth",
"version": "v5.2.25", "version": "1.6.1",
"version_normalized": "5.2.25.0", "version_normalized": "1.6.1.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git", "url": "https://github.com/RobThree/TwoFactorAuth.git",
"reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915" "reference": "a77e7d822343bb88112baef808839cfae7bc5abb"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/2baf20b01690fba8cf720c1ebcf9b988eda50915", "url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/a77e7d822343bb88112baef808839cfae7bc5abb",
"reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915", "reference": "a77e7d822343bb88112baef808839cfae7bc5abb",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"require-dev": {
"phpunit/phpunit": "@stable"
},
"time": "2017-11-06T17:55:56+00:00",
"type": "library",
"installation-source": "dist",
"autoload": {
"psr-4": {
"RobThree\\Auth\\": "lib"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Rob Janssen",
"homepage": "http://robiii.me",
"role": "Developer"
}
],
"description": "Two Factor Authentication",
"homepage": "https://github.com/RobThree/TwoFactorAuth",
"keywords": [
"Authentication",
"MFA",
"Multi Factor Authentication",
"Two Factor Authentication",
"authenticator",
"authy",
"php",
"tfa"
]
},
{
"name": "phpmailer/phpmailer",
"version": "v5.2.26",
"version_normalized": "5.2.26.0",
"source": {
"type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git",
"reference": "70362997bda4376378be7d92d81e2200550923f7"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/70362997bda4376378be7d92d81e2200550923f7",
"reference": "70362997bda4376378be7d92d81e2200550923f7",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -131,7 +131,7 @@
"suggest": { "suggest": {
"league/oauth2-google": "Needed for Google XOAUTH2 authentication" "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
}, },
"time": "2017-08-28T11:12:07+00:00", "time": "2017-11-04T09:26:05+00:00",
"type": "library", "type": "library",
"installation-source": "dist", "installation-source": "dist",
"autoload": { "autoload": {

2
data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION vendored
View File

@ -1 +1 @@
5.2.25 5.2.26

4
data/web/inc/lib/vendor/phpmailer/phpmailer/class.phpmailer.php vendored
View File

@ -31,7 +31,7 @@ class PHPMailer
* The PHPMailer Version number. * The PHPMailer Version number.
* @var string * @var string
*/ */
public $Version = '5.2.25'; public $Version = '5.2.26';
/** /**
* Email priority. * Email priority.
@ -659,6 +659,8 @@ class PHPMailer
if ($exceptions !== null) { if ($exceptions !== null) {
$this->exceptions = (boolean)$exceptions; $this->exceptions = (boolean)$exceptions;
} }
//Pick an appropriate debug output format automatically
$this->Debugoutput = (strpos(PHP_SAPI, 'cli') !== false ? 'echo' : 'html');
} }
/** /**

2
data/web/inc/lib/vendor/phpmailer/phpmailer/class.pop3.php vendored
View File

@ -34,7 +34,7 @@ class POP3
* @var string * @var string
* @access public * @access public
*/ */
public $Version = '5.2.25'; public $Version = '5.2.26';
/** /**
* Default POP3 port number. * Default POP3 port number.

4
data/web/inc/lib/vendor/phpmailer/phpmailer/class.smtp.php vendored
View File

@ -30,7 +30,7 @@ class SMTP
* The PHPMailer SMTP version number. * The PHPMailer SMTP version number.
* @var string * @var string
*/ */
const VERSION = '5.2.25'; const VERSION = '5.2.26';
/** /**
* SMTP line break constant. * SMTP line break constant.
@ -81,7 +81,7 @@ class SMTP
* @deprecated Use the `VERSION` constant instead * @deprecated Use the `VERSION` constant instead
* @see SMTP::VERSION * @see SMTP::VERSION
*/ */
public $Version = '5.2.25'; public $Version = '5.2.26';
/** /**
* SMTP server port number. * SMTP server port number.

3
data/web/inc/lib/vendor/robthree/twofactorauth/.gitignore vendored
View File

@ -184,3 +184,6 @@ FakesAssemblies/
# Composer # Composer
/vendor /vendor
# .vs
.vs/

13
data/web/inc/lib/vendor/robthree/twofactorauth/.travis.yml vendored
View File

@ -1,11 +1,18 @@
language: php language: php
dist: trusty
matrix:
include:
- php: 5.3
dist: precise
php: php:
- 5.3
- 5.4 - 5.4
- 5.5 - 5.5
- 5.6 - 5.6
- 7 - 7.0
- 7.1
- hhvm - hhvm
script: phpunit --coverage-text tests script:
- if [[ "$TRAVIS_PHP_VERSION" == '5.6' ]]; then phpunit --coverage-text tests ; fi

1031
data/web/inc/lib/vendor/robthree/twofactorauth/.vs/config/applicationhost.config vendored
View File

File diff suppressed because it is too large Load Diff

2
data/web/inc/lib/vendor/robthree/twofactorauth/README.md vendored
View File

@ -10,7 +10,7 @@ PHP library for [two-factor (or multi-factor) authentication](http://en.wikipedi
## Requirements ## Requirements
* Tested on PHP 5.3, 5.4, 5.5 and 5.6, 7 and HHVM * Tested on PHP 5.3, 5.4, 5.5 and 5.6, 7.0, 7.1 and HHVM
* [cURL](http://php.net/manual/en/book.curl.php) when using the provided `GoogleQRCodeProvider` (default), `QRServerProvider` or `QRicketProvider` but you can also provide your own QR-code provider. * [cURL](http://php.net/manual/en/book.curl.php) when using the provided `GoogleQRCodeProvider` (default), `QRServerProvider` or `QRicketProvider` but you can also provide your own QR-code provider.
* [random_bytes()](http://php.net/manual/en/function.random-bytes.php), [MCrypt](http://php.net/manual/en/book.mcrypt.php), [OpenSSL](http://php.net/manual/en/book.openssl.php) or [Hash](http://php.net/manual/en/book.hash.php) depending on which built-in RNG you use (TwoFactorAuth will try to 'autodetect' and use the best available); however: feel free to provide your own (CS)RNG. * [random_bytes()](http://php.net/manual/en/function.random-bytes.php), [MCrypt](http://php.net/manual/en/book.mcrypt.php), [OpenSSL](http://php.net/manual/en/book.openssl.php) or [Hash](http://php.net/manual/en/book.hash.php) depending on which built-in RNG you use (TwoFactorAuth will try to 'autodetect' and use the best available); however: feel free to provide your own (CS)RNG.

2
data/web/inc/lib/vendor/robthree/twofactorauth/composer.json vendored
View File

@ -1,7 +1,7 @@
{ {
"name": "robthree/twofactorauth", "name": "robthree/twofactorauth",
"description": "Two Factor Authentication", "description": "Two Factor Authentication",
"version": "1.6", "version": "1.6.1",
"type": "library", "type": "library",
"keywords": [ "Authentication", "Two Factor Authentication", "Multi Factor Authentication", "TFA", "MFA", "PHP", "Authenticator", "Authy" ], "keywords": [ "Authentication", "Two Factor Authentication", "Multi Factor Authentication", "TFA", "MFA", "PHP", "Authenticator", "Authy" ],
"homepage": "https://github.com/RobThree/TwoFactorAuth", "homepage": "https://github.com/RobThree/TwoFactorAuth",

2
data/web/inc/lib/vendor/robthree/twofactorauth/lib/Providers/Time/ConvertUnixTimeDotComTimeProvider.php vendored
View File

@ -6,7 +6,7 @@ class ConvertUnixTimeDotComTimeProvider implements ITimeProvider
{ {
public function getTime() { public function getTime() {
$json = @json_decode( $json = @json_decode(
@file_get_contents('http://www.convert-unix-time.com/api?timestamp=now') @file_get_contents('http://www.convert-unix-time.com/api?timestamp=now&r=' . uniqid(null, true))
); );
if ($json === null || !is_int($json->timestamp)) if ($json === null || !is_int($json->timestamp))
throw new \TimeException('Unable to retrieve time from convert-unix-time.com'); throw new \TimeException('Unable to retrieve time from convert-unix-time.com');

3
data/web/inc/lib/vendor/robthree/twofactorauth/lib/Providers/Time/HttpTimeProvider.php vendored
View File

@ -26,7 +26,8 @@ class HttpTimeProvider implements ITimeProvider
'request_fulluri' => true, 'request_fulluri' => true,
'header' => array( 'header' => array(
'Connection: close', 'Connection: close',
'User-agent: TwoFactorAuth HttpTimeProvider (https://github.com/RobThree/TwoFactorAuth)' 'User-agent: TwoFactorAuth HttpTimeProvider (https://github.com/RobThree/TwoFactorAuth)',
'Cache-Control: no-cache'
) )
) )
); );

507
data/web/inc/lib/vendor/yubico/u2flib-server/src/u2flib_server/U2F.php.1 vendored Normal file
View File

@ -0,0 +1,507 @@
<?php
/* Copyright (c) 2014 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
namespace u2flib_server;
/** Constant for the version of the u2f protocol */
const U2F_VERSION = "U2F_V2";
/** Error for the authentication message not matching any outstanding
* authentication request */
const ERR_NO_MATCHING_REQUEST = 1;
/** Error for the authentication message not matching any registration */
const ERR_NO_MATCHING_REGISTRATION = 2;
/** Error for the signature on the authentication message not verifying with
* the correct key */
const ERR_AUTHENTICATION_FAILURE = 3;
/** Error for the challenge in the registration message not matching the
* registration challenge */
const ERR_UNMATCHED_CHALLENGE = 4;
/** Error for the attestation signature on the registration message not
* verifying */
const ERR_ATTESTATION_SIGNATURE = 5;
/** Error for the attestation verification not verifying */
const ERR_ATTESTATION_VERIFICATION = 6;
/** Error for not getting good random from the system */
const ERR_BAD_RANDOM = 7;
/** Error when the counter is lower than expected */
const ERR_COUNTER_TOO_LOW = 8;
/** Error decoding public key */
const ERR_PUBKEY_DECODE = 9;
/** Error user-agent returned error */
const ERR_BAD_UA_RETURNING = 10;
/** Error old OpenSSL version */
const ERR_OLD_OPENSSL = 11;
/** @internal */
const PUBKEY_LEN = 65;
class U2F
{
/** @var string */
private $appId;
/** @var null|string */
private $attestDir;
/** @internal */
private $FIXCERTS = array(
'349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8',
'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f',
'1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae',
'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb',
'6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897',
'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511'
);
/**
* @param string $appId Application id for the running application
* @param string|null $attestDir Directory where trusted attestation roots may be found
* @throws Error If OpenSSL older than 1.0.0 is used
*/
public function __construct($appId, $attestDir = null)
{
if(OPENSSL_VERSION_NUMBER < 0x10000000) {
throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL);
}
$this->appId = $appId;
$this->attestDir = $attestDir;
}
/**
* Called to get a registration request to send to a user.
* Returns an array of one registration request and a array of sign requests.
*
* @param array $registrations List of current registrations for this
* user, to prevent the user from registering the same authenticator several
* times.
* @return array An array of two elements, the first containing a
* RegisterRequest the second being an array of SignRequest
* @throws Error
*/
public function getRegisterData(array $registrations = array())
{
$challenge = $this->createChallenge();
$request = new RegisterRequest($challenge, $this->appId);
$signs = $this->getAuthenticateData($registrations);
return array($request, $signs);
}
/**
* Called to verify and unpack a registration message.
*
* @param RegisterRequest $request this is a reply to
* @param object $response response from a user
* @param bool $includeCert set to true if the attestation certificate should be
* included in the returned Registration object
* @return Registration
* @throws Error
*/
public function doRegister($request, $response, $includeCert = true)
{
if( !is_object( $request ) ) {
throw new \InvalidArgumentException('$request of doRegister() method only accepts object.');
}
if( !is_object( $response ) ) {
throw new \InvalidArgumentException('$response of doRegister() method only accepts object.');
}
if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
}
if( !is_bool( $includeCert ) ) {
throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.');
}
$rawReg = $this->base64u_decode($response->registrationData);
$regData = array_values(unpack('C*', $rawReg));
$clientData = $this->base64u_decode($response->clientData);
$cli = json_decode($clientData);
if($cli->challenge !== $request->challenge) {
throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE );
}
$registration = new Registration();
$offs = 1;
$pubKey = substr($rawReg, $offs, PUBKEY_LEN);
$offs += PUBKEY_LEN;
// decode the pubKey to make sure it's good
$tmpKey = $this->pubkey_to_pem($pubKey);
if($tmpKey === null) {
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
}
$registration->publicKey = base64_encode($pubKey);
$khLen = $regData[$offs++];
$kh = substr($rawReg, $offs, $khLen);
$offs += $khLen;
$registration->keyHandle = $this->base64u_encode($kh);
// length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes)
$certLen = 4;
$certLen += ($regData[$offs + 2] << 8);
$certLen += $regData[$offs + 3];
$rawCert = $this->fixSignatureUnusedBits(substr($rawReg, $offs, $certLen));
$offs += $certLen;
$pemCert = "-----BEGIN CERTIFICATE-----\r\n";
$pemCert .= chunk_split(base64_encode($rawCert), 64);
$pemCert .= "-----END CERTIFICATE-----";
if($includeCert) {
$registration->certificate = base64_encode($rawCert);
}
if($this->attestDir) {
if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) {
throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION );
}
}
if(!openssl_pkey_get_public($pemCert)) {
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
}
$signature = substr($rawReg, $offs);
$dataToVerify = chr(0);
$dataToVerify .= hash('sha256', $request->appId, true);
$dataToVerify .= hash('sha256', $clientData, true);
$dataToVerify .= $kh;
$dataToVerify .= $pubKey;
if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) {
return $registration;
} else {
throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE );
}
}
/**
* Called to get an authentication request.
*
* @param array $registrations An array of the registrations to create authentication requests for.
* @return array An array of SignRequest
* @throws Error
*/
public function getAuthenticateData(array $registrations)
{
$sigs = array();
$challenge = $this->createChallenge();
foreach ($registrations as $reg) {
if( !is_object( $reg ) ) {
throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.');
}
$sig = new SignRequest();
$sig->appId = $this->appId;
$sig->keyHandle = $reg->keyHandle;
$sig->challenge = $challenge;
$sigs[] = $sig;
}
return $sigs;
}
/**
* Called to verify an authentication response
*
* @param array $requests An array of outstanding authentication requests
* @param array $registrations An array of current registrations
* @param object $response A response from the authenticator
* @return Registration
* @throws Error
*
* The Registration object returned on success contains an updated counter
* that should be saved for future authentications.
* If the Error returned is ERR_COUNTER_TOO_LOW this is an indication of
* token cloning or similar and appropriate action should be taken.
*/
public function doAuthenticate(array $requests, array $registrations, $response)
{
if( !is_object( $response ) ) {
throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.');
}
if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
}
/** @var object|null $req */
$req = null;
/** @var object|null $reg */
$reg = null;
$clientData = $this->base64u_decode($response->clientData);
$decodedClient = json_decode($clientData);
foreach ($requests as $req) {
if( !is_object( $req ) ) {
throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.');
}
if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) {
break;
}
$req = null;
}
if($req === null) {
throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST );
}
foreach ($registrations as $reg) {
if( !is_object( $reg ) ) {
throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.');
}
if($reg->keyHandle === $response->keyHandle) {
break;
}
$reg = null;
}
if($reg === null) {
throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION );
}
$pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey));
if($pemKey === null) {
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
}
$signData = $this->base64u_decode($response->signatureData);
$dataToVerify = hash('sha256', $req->appId, true);
$dataToVerify .= substr($signData, 0, 5);
$dataToVerify .= hash('sha256', $clientData, true);
$signature = substr($signData, 5);
if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) {
$ctr = unpack("Nctr", substr($signData, 1, 4));
$counter = $ctr['ctr'];
/* TODO: wrap-around should be handled somehow.. */
if($counter > $reg->counter) {
$reg->counter = $counter;
return $reg;
} else {
throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW );
}
} else {
throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE );
}
}
/**
* @return array
*/
private function get_certs()
{
$files = array();
$dir = $this->attestDir;
if($dir && $handle = opendir($dir)) {
while(false !== ($entry = readdir($handle))) {
if(is_file("$dir/$entry")) {
$files[] = "$dir/$entry";
}
}
closedir($handle);
}
return $files;
}
/**
* @param string $data
* @return string
*/
private function base64u_encode($data)
{
return trim(strtr(base64_encode($data), '+/', '-_'), '=');
}
/**
* @param string $data
* @return string
*/
private function base64u_decode($data)
{
return base64_decode(strtr($data, '-_', '+/'));
}
/**
* @param string $key
* @return null|string
*/
private function pubkey_to_pem($key)
{
if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") {
return null;
}
/*
* Convert the public key to binary DER format first
* Using the ECC SubjectPublicKeyInfo OIDs from RFC 5480
*
* SEQUENCE(2 elem) 30 59
* SEQUENCE(2 elem) 30 13
* OID1.2.840.10045.2.1 (id-ecPublicKey) 06 07 2a 86 48 ce 3d 02 01
* OID1.2.840.10045.3.1.7 (secp256r1) 06 08 2a 86 48 ce 3d 03 01 07
* BIT STRING(520 bit) 03 42 ..key..
*/
$der = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
$der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
$der .= "\0".$key;
$pem = "-----BEGIN PUBLIC KEY-----\r\n";
$pem .= chunk_split(base64_encode($der), 64);
$pem .= "-----END PUBLIC KEY-----";
return $pem;
}
/**
* @return string
* @throws Error
*/
private function createChallenge()
{
$challenge = openssl_random_pseudo_bytes(32, $crypto_strong );
if( $crypto_strong !== true ) {
throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM);
}
$challenge = $this->base64u_encode( $challenge );
return $challenge;
}
/**
* Fixes a certificate where the signature contains unused bits.
*
* @param string $cert
* @return mixed
*/
private function fixSignatureUnusedBits($cert)
{
if(in_array(hash('sha256', $cert), $this->FIXCERTS)) {
$cert[strlen($cert) - 257] = "\0";
}
return $cert;
}
}
/**
* Class for building a registration request
*
* @package u2flib_server
*/
class RegisterRequest
{
/** Protocol version */
public $version = U2F_VERSION;
/** Registration challenge */
public $challenge;
/** Application id */
public $appId;
/**
* @param string $challenge
* @param string $appId
* @internal
*/
public function __construct($challenge, $appId)
{
$this->challenge = $challenge;
$this->appId = $appId;
}
}
/**
* Class for building up an authentication request
*
* @package u2flib_server
*/
class SignRequest
{
/** Protocol version */
public $version = U2F_VERSION;
/** Authentication challenge */
public $challenge;
/** Key handle of a registered authenticator */
public $keyHandle;
/** Application id */
public $appId;
}
/**
* Class returned for successful registrations
*
* @package u2flib_server
*/
class Registration
{
/** The key handle of the registered authenticator */
public $keyHandle;
/** The public key of the registered authenticator */
public $publicKey;
/** The attestation certificate of the registered authenticator */
public $certificate;
/** The counter associated with this registration */
public $counter = -1;
}
/**
* Error class, returned on errors
*
* @package u2flib_server
*/
class Error extends \Exception
{
/**
* Override constructor and make message and code mandatory
* @param string $message
* @param int $code
* @param \Exception|null $previous
*/
public function __construct($message, $code, \Exception $previous = null) {
parent::__construct($message, $code, $previous);
}
}

2
data/web/index.php
View File

@ -73,6 +73,7 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
<?php <?php
endforeach; endforeach;
$app_links = customize('get', 'app_links'); $app_links = customize('get', 'app_links');
if (!empty($app_links)) {
foreach ($app_links as $row) { foreach ($app_links as $row) {
foreach ($row as $key => $val): foreach ($row as $key => $val):
?> ?>
@ -80,6 +81,7 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
<?php <?php
endforeach; endforeach;
} }
}
?> ?>
</div> </div>
</div> </div>

495
data/web/js/u2f-api.js
View File

@ -1,5 +1,5 @@
//Copyright 2014-2015 Google Inc. All rights reserved. //Copyright 2014-2015 Google Inc. All rights reserved.
//
//Use of this source code is governed by a BSD-style //Use of this source code is governed by a BSD-style
//license that can be found in the LICENSE file or at //license that can be found in the LICENSE file or at
//https://developers.google.com/open-source/licenses/bsd //https://developers.google.com/open-source/licenses/bsd
@ -7,20 +7,34 @@
/** /**
* @fileoverview The U2F api. * @fileoverview The U2F api.
*/ */
'use strict'; 'use strict';
/** Namespace for the U2F api.
/**
* Namespace for the U2F api.
* @type {Object} * @type {Object}
*/ */
var u2f = u2f || {}; var u2f = u2f || {};
/** /**
* The U2F extension id * FIDO U2F Javascript API Version
* @type {string} * @number
* @const
*/ */
var js_api_version;
/**
* The U2F extension id
* @const {string}
*/
// The Chrome packaged app extension ID.
// Uncomment this if you want to deploy a server instance that uses
// the package Chrome app and does not require installing the U2F Chrome extension.
u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd'; u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
// The U2F Chrome extension ID.
// Uncomment this if you want to deploy a server instance that uses
// the U2F Chrome extension to authenticate.
// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
/** /**
* Message types for messsages to/from the extension * Message types for messsages to/from the extension
@ -29,11 +43,14 @@ u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
*/ */
u2f.MessageTypes = { u2f.MessageTypes = {
'U2F_REGISTER_REQUEST': 'u2f_register_request', 'U2F_REGISTER_REQUEST': 'u2f_register_request',
'U2F_SIGN_REQUEST': 'u2f_sign_request',
'U2F_REGISTER_RESPONSE': 'u2f_register_response', 'U2F_REGISTER_RESPONSE': 'u2f_register_response',
'U2F_SIGN_RESPONSE': 'u2f_sign_response' 'U2F_SIGN_REQUEST': 'u2f_sign_request',
'U2F_SIGN_RESPONSE': 'u2f_sign_response',
'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
}; };
/** /**
* Response status codes * Response status codes
* @const * @const
@ -48,17 +65,18 @@ u2f.ErrorCodes = {
'TIMEOUT': 5 'TIMEOUT': 5
}; };
/** /**
* A message type for registration requests * A message for registration requests
* @typedef {{ * @typedef {{
* type: u2f.MessageTypes, * type: u2f.MessageTypes,
* signRequests: Array<u2f.SignRequest>, * appId: ?string,
* registerRequests: ?Array<u2f.RegisterRequest>,
* timeoutSeconds: ?number, * timeoutSeconds: ?number,
* requestId: ?number * requestId: ?number
* }} * }}
*/ */
u2f.Request; u2f.U2fRequest;
/** /**
* A message for registration responses * A message for registration responses
@ -68,7 +86,8 @@ u2f.Request;
* requestId: ?number * requestId: ?number
* }} * }}
*/ */
u2f.Response; u2f.U2fResponse;
/** /**
* An error object for responses * An error object for responses
@ -79,6 +98,19 @@ u2f.Response;
*/ */
u2f.Error; u2f.Error;
/**
* Data object for a single sign request.
* @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
*/
u2f.Transport;
/**
* Data object for a single sign request.
* @typedef {Array<u2f.Transport>}
*/
u2f.Transports;
/** /**
* Data object for a single sign request. * Data object for a single sign request.
* @typedef {{ * @typedef {{
@ -90,6 +122,7 @@ u2f.Error;
*/ */
u2f.SignRequest; u2f.SignRequest;
/** /**
* Data object for a sign response. * Data object for a sign response.
* @typedef {{ * @typedef {{
@ -100,26 +133,50 @@ u2f.SignRequest;
*/ */
u2f.SignResponse; u2f.SignResponse;
/** /**
* Data object for a registration request. * Data object for a registration request.
* @typedef {{ * @typedef {{
* version: string, * version: string,
* challenge: string, * challenge: string
* appId: string
* }} * }}
*/ */
u2f.RegisterRequest; u2f.RegisterRequest;
/** /**
* Data object for a registration response. * Data object for a registration response.
* @typedef {{ * @typedef {{
* registrationData: string, * version: string,
* clientData: string * keyHandle: string,
* transports: Transports,
* appId: string
* }} * }}
*/ */
u2f.RegisterResponse; u2f.RegisterResponse;
/**
* Data object for a registered key.
* @typedef {{
* version: string,
* keyHandle: string,
* transports: ?Transports,
* appId: ?string
* }}
*/
u2f.RegisteredKey;
/**
* Data object for a get API register response.
* @typedef {{
* js_api_version: number
* }}
*/
u2f.GetJsApiVersionResponse;
//Low level MessagePort API support //Low level MessagePort API support
/** /**
@ -149,6 +206,8 @@ u2f.getMessagePort = function(callback) {
}); });
} else if (u2f.isAndroidChrome_()) { } else if (u2f.isAndroidChrome_()) {
u2f.getAuthenticatorPort_(callback); u2f.getAuthenticatorPort_(callback);
} else if (u2f.isIosChrome_()) {
u2f.getIosPort_(callback);
} else { } else {
// chrome.runtime was not available at all, which is normal // chrome.runtime was not available at all, which is normal
// when this origin doesn't have access to any extensions. // when this origin doesn't have access to any extensions.
@ -167,7 +226,15 @@ u2f.isAndroidChrome_ = function() {
}; };
/** /**
* Connects directly to the extension via chrome.runtime.connect * Detect chrome running on iOS based on the browser's platform.
* @private
*/
u2f.isIosChrome_ = function() {
return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1;
};
/**
* Connects directly to the extension via chrome.runtime.connect.
* @param {function(u2f.WrappedChromeRuntimePort_)} callback * @param {function(u2f.WrappedChromeRuntimePort_)} callback
* @private * @private
*/ */
@ -190,6 +257,17 @@ u2f.getAuthenticatorPort_ = function(callback) {
}, 0); }, 0);
}; };
/**
* Return a 'port' abstraction to the iOS client app.
* @param {function(u2f.WrappedIosPort_)} callback
* @private
*/
u2f.getIosPort_ = function(callback) {
setTimeout(function() {
callback(new u2f.WrappedIosPort_());
}, 0);
};
/** /**
* A wrapper for chrome.runtime.Port that is compatible with MessagePort. * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
* @param {Port} port * @param {Port} port
@ -201,32 +279,67 @@ u2f.WrappedChromeRuntimePort_ = function(port) {
}; };
/** /**
* Format a return a sign request. * Format and return a sign request compliant with the JS API version supported by the extension.
* @param {Array<u2f.SignRequest>} signRequests * @param {Array<u2f.SignRequest>} signRequests
* @param {number} timeoutSeconds * @param {number} timeoutSeconds
* @param {number} reqId * @param {number} reqId
* @return {Object} * @return {Object}
*/ */
u2f.WrappedChromeRuntimePort_.prototype.formatSignRequest_ = u2f.formatSignRequest_ =
function(signRequests, timeoutSeconds, reqId) { function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
if (js_api_version === undefined || js_api_version < 1.1) {
// Adapt request to the 1.0 JS API
var signRequests = [];
for (var i = 0; i < registeredKeys.length; i++) {
signRequests[i] = {
version: registeredKeys[i].version,
challenge: challenge,
keyHandle: registeredKeys[i].keyHandle,
appId: appId
};
}
return { return {
type: u2f.MessageTypes.U2F_SIGN_REQUEST, type: u2f.MessageTypes.U2F_SIGN_REQUEST,
signRequests: signRequests, signRequests: signRequests,
timeoutSeconds: timeoutSeconds, timeoutSeconds: timeoutSeconds,
requestId: reqId requestId: reqId
}; };
}
// JS 1.1 API
return {
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
appId: appId,
challenge: challenge,
registeredKeys: registeredKeys,
timeoutSeconds: timeoutSeconds,
requestId: reqId
};
}; };
/** /**
* Format a return a register request. * Format and return a register request compliant with the JS API version supported by the extension..
* @param {Array<u2f.SignRequest>} signRequests * @param {Array<u2f.SignRequest>} signRequests
* @param {Array<u2f.RegisterRequest>} signRequests * @param {Array<u2f.RegisterRequest>} signRequests
* @param {number} timeoutSeconds * @param {number} timeoutSeconds
* @param {number} reqId * @param {number} reqId
* @return {Object} * @return {Object}
*/ */
u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ = u2f.formatRegisterRequest_ =
function(signRequests, registerRequests, timeoutSeconds, reqId) { function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
if (js_api_version === undefined || js_api_version < 1.1) {
// Adapt request to the 1.0 JS API
for (var i = 0; i < registerRequests.length; i++) {
registerRequests[i].appId = appId;
}
var signRequests = [];
for (var i = 0; i < registeredKeys.length; i++) {
signRequests[i] = {
version: registeredKeys[i].version,
challenge: registerRequests[0],
keyHandle: registeredKeys[i].keyHandle,
appId: appId
};
}
return { return {
type: u2f.MessageTypes.U2F_REGISTER_REQUEST, type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
signRequests: signRequests, signRequests: signRequests,
@ -234,7 +347,18 @@ u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ =
timeoutSeconds: timeoutSeconds, timeoutSeconds: timeoutSeconds,
requestId: reqId requestId: reqId
}; };
}
// JS 1.1 API
return {
type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
appId: appId,
registerRequests: registerRequests,
registeredKeys: registeredKeys,
timeoutSeconds: timeoutSeconds,
requestId: reqId
}; };
};
/** /**
* Posts a message on the underlying channel. * Posts a message on the underlying channel.
@ -244,6 +368,7 @@ u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
this.port_.postMessage(message); this.port_.postMessage(message);
}; };
/** /**
* Emulates the HTML 5 addEventListener interface. Works only for the * Emulates the HTML 5 addEventListener interface. Works only for the
* onmessage event, which is hooked up to the chrome.runtime.Port.onMessage. * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
@ -278,17 +403,28 @@ u2f.WrappedAuthenticatorPort_ = function() {
* @param {Object} message * @param {Object} message
*/ */
u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) { u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
var intentLocation = /** @type {string} */ (message); var intentUrl =
document.location = intentLocation; u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
';S.request=' + encodeURIComponent(JSON.stringify(message)) +
';end';
document.location = intentUrl;
}; };
/**
* Tells what type of port this is.
* @return {String} port type
*/
u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() {
return "WrappedAuthenticatorPort_";
};
/** /**
* Emulates the HTML 5 addEventListener interface. * Emulates the HTML 5 addEventListener interface.
* @param {string} eventName * @param {string} eventName
* @param {function({data: Object})} handler * @param {function({data: Object})} handler
*/ */
u2f.WrappedAuthenticatorPort_.prototype.addEventListener = u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) {
function(eventName, handler) {
var name = eventName.toLowerCase(); var name = eventName.toLowerCase();
if (name == 'message') { if (name == 'message') {
var self = this; var self = this;
@ -316,65 +452,11 @@ u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
if (messageObject.hasOwnProperty('data')) { if (messageObject.hasOwnProperty('data')) {
responseObject = /** @type {Object} */ ( responseObject = /** @type {Object} */ (
JSON.parse(messageObject['data'])); JSON.parse(messageObject['data']));
responseObject['requestId'] = this.requestId_;
} }
/* Sign responses from the authenticator do not conform to U2F,
* convert to U2F here. */
responseObject = this.doResponseFixups_(responseObject);
callback({'data': responseObject}); callback({'data': responseObject});
}; };
/**
* Fixup the response provided by the Authenticator to conform with
* the U2F spec.
* @param {Object} responseData
* @return {Object} the U2F compliant response object
*/
u2f.WrappedAuthenticatorPort_.prototype.doResponseFixups_ =
function(responseObject) {
if (responseObject.hasOwnProperty('responseData')) {
return responseObject;
} else if (this.requestObject_['type'] != u2f.MessageTypes.U2F_SIGN_REQUEST) {
// Only sign responses require fixups. If this is not a response
// to a sign request, then an internal error has occurred.
return {
'type': u2f.MessageTypes.U2F_REGISTER_RESPONSE,
'responseData': {
'errorCode': u2f.ErrorCodes.OTHER_ERROR,
'errorMessage': 'Internal error: invalid response from Authenticator'
}
};
}
/* Non-conformant sign response, do fixups. */
var encodedChallengeObject = responseObject['challenge'];
if (typeof encodedChallengeObject !== 'undefined') {
var challengeObject = JSON.parse(atob(encodedChallengeObject));
var serverChallenge = challengeObject['challenge'];
var challengesList = this.requestObject_['signData'];
var requestChallengeObject = null;
for (var i = 0; i < challengesList.length; i++) {
var challengeObject = challengesList[i];
if (challengeObject['keyHandle'] == responseObject['keyHandle']) {
requestChallengeObject = challengeObject;
break;
}
}
}
var responseData = {
'errorCode': responseObject['resultCode'],
'keyHandle': responseObject['keyHandle'],
'signatureData': responseObject['signature'],
'clientData': encodedChallengeObject
};
return {
'type': u2f.MessageTypes.U2F_SIGN_RESPONSE,
'responseData': responseData,
'requestId': responseObject['requestId']
}
};
/** /**
* Base URL for intents to Authenticator. * Base URL for intents to Authenticator.
* @const * @const
@ -384,123 +466,41 @@ u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE'; 'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
/** /**
* Format a return a sign request. * Wrap the iOS client app with a MessagePort interface.
* @param {Array<u2f.SignRequest>} signRequests * @constructor
* @param {number} timeoutSeconds (ignored for now)
* @param {number} reqId
* @return {string}
*/
u2f.WrappedAuthenticatorPort_.prototype.formatSignRequest_ =
function(signRequests, timeoutSeconds, reqId) {
if (!signRequests || signRequests.length == 0) {
return null;
}
/* TODO(fixme): stash away requestId, as the authenticator app does
* not return it for sign responses. */
this.requestId_ = reqId;
/* TODO(fixme): stash away the signRequests, to deal with the legacy
* response format returned by the Authenticator app. */
this.requestObject_ = {
'type': u2f.MessageTypes.U2F_SIGN_REQUEST,
'signData': signRequests,
'requestId': reqId,
'timeout': timeoutSeconds
};
var appId = signRequests[0]['appId'];
var intentUrl =
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
';S.appId=' + encodeURIComponent(appId) +
';S.eventId=' + reqId +
';S.challenges=' +
encodeURIComponent(
JSON.stringify(this.getBrowserDataList_(signRequests))) + ';end';
return intentUrl;
};
/**
* Get the browser data objects from the challenge list
* @param {Array} challenges list of challenges
* @return {Array} list of browser data objects
* @private * @private
*/ */
u2f.WrappedAuthenticatorPort_ u2f.WrappedIosPort_ = function() {};
.prototype.getBrowserDataList_ = function(challenges) {
return challenges /**
.map(function(challenge) { * Launch the iOS client app request
var browserData = { * @param {Object} message
'typ': 'navigator.id.getAssertion', */
'challenge': challenge['challenge'] u2f.WrappedIosPort_.prototype.postMessage = function(message) {
}; var str = JSON.stringify(message);
var challengeObject = { var url = "u2f://auth?" + encodeURI(str);
'challenge' : browserData, location.replace(url);
'keyHandle' : challenge['keyHandle']
};
return challengeObject;
});
}; };
/** /**
* Format a return a register request. * Tells what type of port this is.
* @param {Array<u2f.SignRequest>} signRequests * @return {String} port type
* @param {Array<u2f.RegisterRequest>} enrollChallenges
* @param {number} timeoutSeconds (ignored for now)
* @param {number} reqId
* @return {Object}
*/ */
u2f.WrappedAuthenticatorPort_.prototype.formatRegisterRequest_ = u2f.WrappedIosPort_.prototype.getPortType = function() {
function(signRequests, enrollChallenges, timeoutSeconds, reqId) { return "WrappedIosPort_";
if (!enrollChallenges || enrollChallenges.length == 0) {
return null;
}
// Assume the appId is the same for all enroll challenges.
var appId = enrollChallenges[0]['appId'];
var registerRequests = [];
for (var i = 0; i < enrollChallenges.length; i++) {
var registerRequest = {
'challenge': enrollChallenges[i]['challenge'],
'version': enrollChallenges[i]['version']
};
if (enrollChallenges[i]['appId'] != appId) {
// Only include the appId when it differs from the first appId.
registerRequest['appId'] = enrollChallenges[i]['appId'];
}
registerRequests.push(registerRequest);
}
var registeredKeys = [];
if (signRequests) {
for (i = 0; i < signRequests.length; i++) {
var key = {
'keyHandle': signRequests[i]['keyHandle'],
'version': signRequests[i]['version']
};
// Only include the appId when it differs from the appId that's
// being registered now.
if (signRequests[i]['appId'] != appId) {
key['appId'] = signRequests[i]['appId'];
}
registeredKeys.push(key);
}
}
var request = {
'type': u2f.MessageTypes.U2F_REGISTER_REQUEST,
'appId': appId,
'registerRequests': registerRequests,
'registeredKeys': registeredKeys,
'requestId': reqId,
'timeoutSeconds': timeoutSeconds
};
var intentUrl =
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
';S.request=' + encodeURIComponent(JSON.stringify(request)) +
';end';
/* TODO(fixme): stash away requestId, this is is not necessary for
* register requests, but here to keep parity with sign.
*/
this.requestId_ = reqId;
return intentUrl;
}; };
/**
* Emulates the HTML 5 addEventListener interface.
* @param {string} eventName
* @param {function({data: Object})} handler
*/
u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) {
var name = eventName.toLowerCase();
if (name !== 'message') {
console.error('WrappedIosPort only supports message');
}
};
/** /**
* Sets up an embedded trampoline iframe, sourced from the extension. * Sets up an embedded trampoline iframe, sourced from the extension.
@ -614,17 +614,45 @@ u2f.responseHandler_ = function(message) {
/** /**
* Dispatches an array of sign requests to available U2F tokens. * Dispatches an array of sign requests to available U2F tokens.
* @param {Array<u2f.SignRequest>} signRequests * If the JS API version supported by the extension is unknown, it first sends a
* message to the extension to find out the supported API version and then it sends
* the sign request.
* @param {string=} appId
* @param {string=} challenge
* @param {Array<u2f.RegisteredKey>} registeredKeys
* @param {function((u2f.Error|u2f.SignResponse))} callback * @param {function((u2f.Error|u2f.SignResponse))} callback
* @param {number=} opt_timeoutSeconds * @param {number=} opt_timeoutSeconds
*/ */
u2f.sign = function(signRequests, callback, opt_timeoutSeconds) { u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
if (js_api_version === undefined) {
// Send a message to get the extension to JS API version, then send the actual sign request.
u2f.getApiVersion(
function (response) {
js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
console.log("Extension JS API Version: ", js_api_version);
u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
});
} else {
// We know the JS API version. Send the actual sign request in the supported API version.
u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
}
};
/**
* Dispatches an array of sign requests to available U2F tokens.
* @param {string=} appId
* @param {string=} challenge
* @param {Array<u2f.RegisteredKey>} registeredKeys
* @param {function((u2f.Error|u2f.SignResponse))} callback
* @param {number=} opt_timeoutSeconds
*/
u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
u2f.getPortSingleton_(function(port) { u2f.getPortSingleton_(function(port) {
var reqId = ++u2f.reqCounter_; var reqId = ++u2f.reqCounter_;
u2f.callbackMap_[reqId] = callback; u2f.callbackMap_[reqId] = callback;
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
var req = port.formatSignRequest_(signRequests, timeoutSeconds, reqId); var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
port.postMessage(req); port.postMessage(req);
}); });
}; };
@ -632,20 +660,89 @@ u2f.sign = function(signRequests, callback, opt_timeoutSeconds) {
/** /**
* Dispatches register requests to available U2F tokens. An array of sign * Dispatches register requests to available U2F tokens. An array of sign
* requests identifies already registered tokens. * requests identifies already registered tokens.
* If the JS API version supported by the extension is unknown, it first sends a
* message to the extension to find out the supported API version and then it sends
* the register request.
* @param {string=} appId
* @param {Array<u2f.RegisterRequest>} registerRequests * @param {Array<u2f.RegisterRequest>} registerRequests
* @param {Array<u2f.SignRequest>} signRequests * @param {Array<u2f.RegisteredKey>} registeredKeys
* @param {function((u2f.Error|u2f.RegisterResponse))} callback * @param {function((u2f.Error|u2f.RegisterResponse))} callback
* @param {number=} opt_timeoutSeconds * @param {number=} opt_timeoutSeconds
*/ */
u2f.register = function(registerRequests, signRequests, u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
callback, opt_timeoutSeconds) { if (js_api_version === undefined) {
// Send a message to get the extension to JS API version, then send the actual register request.
u2f.getApiVersion(
function (response) {
js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version'];
console.log("Extension JS API Version: ", js_api_version);
u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
callback, opt_timeoutSeconds);
});
} else {
// We know the JS API version. Send the actual register request in the supported API version.
u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
callback, opt_timeoutSeconds);
}
};
/**
* Dispatches register requests to available U2F tokens. An array of sign
* requests identifies already registered tokens.
* @param {string=} appId
* @param {Array<u2f.RegisterRequest>} registerRequests
* @param {Array<u2f.RegisteredKey>} registeredKeys
* @param {function((u2f.Error|u2f.RegisterResponse))} callback
* @param {number=} opt_timeoutSeconds
*/
u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
u2f.getPortSingleton_(function(port) { u2f.getPortSingleton_(function(port) {
var reqId = ++u2f.reqCounter_; var reqId = ++u2f.reqCounter_;
u2f.callbackMap_[reqId] = callback; u2f.callbackMap_[reqId] = callback;
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
var req = port.formatRegisterRequest_( var req = u2f.formatRegisterRequest_(
signRequests, registerRequests, timeoutSeconds, reqId); appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
port.postMessage(req);
});
};
/**
* Dispatches a message to the extension to find out the supported
* JS API version.
* If the user is on a mobile phone and is thus using Google Authenticator instead
* of the Chrome extension, don't send the request and simply return 0.
* @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
* @param {number=} opt_timeoutSeconds
*/
u2f.getApiVersion = function(callback, opt_timeoutSeconds) {
u2f.getPortSingleton_(function(port) {
// If we are using Android Google Authenticator or iOS client app,
// do not fire an intent to ask which JS API version to use.
if (port.getPortType) {
var apiVersion;
switch (port.getPortType()) {
case 'WrappedIosPort_':
case 'WrappedAuthenticatorPort_':
apiVersion = 1.1;
break;
default:
apiVersion = 0;
break;
}
callback({ 'js_api_version': apiVersion });
return;
}
var reqId = ++u2f.reqCounter_;
u2f.callbackMap_[reqId] = callback;
var req = {
type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
requestId: reqId
};
port.postMessage(req); port.postMessage(req);
}); });
}; };

25
data/web/json_api.php
View File

@ -1342,10 +1342,13 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
case "u2f-registration": case "u2f-registration":
header('Content-Type: application/javascript'); header('Content-Type: application/javascript');
if (($_SESSION["mailcow_cc_role"] == "admin" || $_SESSION["mailcow_cc_role"] == "domainadmin") && $_SESSION["mailcow_cc_username"] == $object) { if (($_SESSION["mailcow_cc_role"] == "admin" || $_SESSION["mailcow_cc_role"] == "domainadmin") && $_SESSION["mailcow_cc_username"] == $object) {
$data = $u2f->getRegisterData(get_u2f_registrations($object)); list($req, $sigs) = $u2f->getRegisterData(get_u2f_registrations($object));
list($req, $sigs) = $data;
$_SESSION['regReq'] = json_encode($req); $_SESSION['regReq'] = json_encode($req);
echo 'var req = ' . json_encode($req) . '; var sigs = ' . json_encode($sigs) . ';'; $_SESSION['regSigs'] = json_encode($sigs);
echo 'var req = ' . json_encode($req) . ';';
echo 'var registeredKeys = ' . json_encode($sigs) . ';';
echo 'var appId = req.appId;';
echo 'var registerRequests = [{version: req.version, challenge: req.challenge}];';
} }
else { else {
return; return;
@ -1354,9 +1357,19 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
case "u2f-authentication": case "u2f-authentication":
header('Content-Type: application/javascript'); header('Content-Type: application/javascript');
if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) { if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) {
$reqs = json_encode($u2f->getAuthenticateData(get_u2f_registrations($object))); $auth_data = $u2f->getAuthenticateData(get_u2f_registrations($object));
$_SESSION['authReq'] = $reqs; $challenge = $auth_data[0]->challenge;
echo 'var req = ' . $reqs . ';'; $appId = $auth_data[0]->appId;
foreach ($auth_data as $each) {
$key = array(); // Empty array
$key['version'] = $each->version;
$key['keyHandle'] = $each->keyHandle;
$registeredKey[] = $key;
}
$_SESSION['authReq'] = json_encode($auth_data);
echo 'var appId = "' . $appId . '";';
echo 'var challenge = ' . json_encode($challenge) . ';';
echo 'var registeredKeys = ' . json_encode($registeredKey) . ';';
} }
else { else {
return; return;